CVE-2019-17556: Deserialization of Untrusted Data

December 4, 2019 (updated December 13, 2019)

Apache Olingo provides the AbstractService class, which is public API, uses ObjectInputStream and does not check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker’s code in the worse case.

References

mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E
nvd.nist.gov/vuln/detail/CVE-2019-17556

Detect and mitigate CVE-2019-17556 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →